RBI's cybersecurity and IT examination cell issued the warning in a confidential circular to banks. ISMG obtained a copy of the circular from a banker who received it.

The cautionary notice was issued in the wake of a rising number of fraudulent transactions using the Unified Payments Interface real-time payment system platform.

There have been reports of customers losing lakhs of rupees from their bank accounts through the UPI app, some security experts say. "The problem is not on the application side. It is a clear case of users being duped by fraudsters through vishing attacks," says Prakash Kumar Ranjan, who was previously with Canara Bank as a security researcher.

The National Payments Corporation of India, the umbrella organization for retail payments in India, also confirmed this, saying a few cases of AnyDesk fraud have been reported so far. Those attacks begin with vishing.

Fraudsters are using the AnyDesk remote-access app to carry out fraudulent transactions through any mobile banking or payment app on the victim's handset, including UPI apps and wallets.

Emerging Fraud Trends

ReBIT, the IT and security arm of the Reserve Bank of India, in its latest monthly newsletter has highlighted the growing menace of vishing, phishing, card cloning, e-wallet fraud and financial swindling via social media sites.

"As digital banking technologies gain more acceptance, there is a corresponding increase in the risk of sensitive information being socially engineered off unsuspecting customers," says Nandkumar Sarvade, CEO at ReBIT. "Periodic and effective customer awareness programs and multilingual communiques will go a long way in mitigating such frauds. Prompt reporting of incidents to RBI will enable timely issuance of advisories, which would eventually enhance the resilience of the Indian banking landscape to such frauds," he says.

How AnyDesk Scheme Works

The RBI's notification describes how the fraud scheme that leverages AnyDesk works.

First, fraudsters lure victims on some pretext into downloading the AnyDesk app from the Play Store. For instance, using a vishing approach, fraudsters pose as bank employees and call customers saying there is a problem with their bank balance or account, then ask the customer to install the AnyDesk app to "resolve" it.

Once installed, the app generates a nine-digit address code which, when read out to the caller, lets the attacker remotely view and control the phone. The attacker then asks the customer to install or open the mobile banking app. Because the attacker can already see the screen, any one-time password delivered to the phone for the banking app is visible to him as well, so the OTP no longer acts as a second factor. (See: Should India's Banks Drop User-Based OTPs?)

"Once a fraudster inserts this app code on his device, he will ask the victim to grant certain permissions, which are similar to what are required while using other apps," RBI said in an advisory. The fraudster then can carry out transactions without the victim's knowledge.

Fraud Techniques

Fraudsters increasingly are resorting to new techniques to trick customers.

According to the Union finance ministry, State Bank of India customers were reportedly robbed of Rs 50.29 crore from their accounts during 2017 and 2018. The bank registered 574 complaints, the most of any of the 53 banks operating in India. City Union Bank was second, followed by American Express Banking Corporation.

All these banks were affected by vishing, phishing and financial swindling via social media, according to a report from ReBIT.

Banks Liable for Fraud

When financial fraud occurs, banks must reverse the unauthorized electronic transaction to the customer's account within 10 working days even if the fault lies with the customer, such as sharing PIN or password, RBI said in a circular last year.

But customers need to report such transactions to their banks within seven working days. "This puts all the more onus on banks to create customer awareness with more vigor," Ranjan says.

Remediation Measures

"While NPCI is continuously working towards enhancing security of its products and services from such attacks, this type of fraud can be better prevented by consumer education," says Bharat Panchal, NPCI's head of risk management.

"The entire ecosystem, including banks and fintech companies, has to work collectively toward creating awareness and educating customers to refrain from sharing their account/card credentials, OTP/PIN and/or giving access to their mobile handsets to unscrupulous persons through such remote screen access apps," he adds. "The UPI platform is fully secure and is also 2FA enabled."

In addition, security experts advise banks to monitor their mobile applications closely through "application wrapping." App wrapping adds security and management controls (for example, policy checks and telemetry) around an existing app, without changing its source code, and redeploys it as a single containerized program through an enterprise app store.

"App wrapping leverages artificial intelligence and machine learning to monitor unusual activities in an app," says Ranjan. "For instance, if there is a transaction which is unusual from the normal pattern - like new device being used to carry out a financial transaction at an odd time - an alert can be generated by the bank," he says.
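The bank-side signals Ranjan describes (a transaction from a new device, at an unusual hour, for an unusual amount) can be expressed as a simple rule-based risk score. The block below is an added example, not code from the article, ReBIT or NPCI. The transaction records and weights are constructed for illustration, and the `remote_access_active` flag is an assumption: it stands for a runtime check inside the banking app that reports whether a screen-sharing service such as AnyDesk is running on the handset, a signal the bank would only have if the app itself supplies it.

```python
"""Rule-based transaction risk scoring (added example; not the article's, ReBIT's
or NPCI's code).  The device, hour and amount signals are the ones the article
names.  The remote_access_active flag is an ASSUMPTION: it represents a check
performed by the banking app on the handset and reported back to the bank."""

from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Tuple


@dataclass
class Profile:
    customer_id: str
    known_devices: set = field(default_factory=set)
    active_hours: set = field(default_factory=set)   # hours (0-23) seen in history
    avg_amount: float = 0.0


@dataclass
class Txn:
    customer_id: str
    device_id: str
    amount: float
    at: datetime
    remote_access_active: bool = False   # assumed app-side signal (see docstring)


def build_profile(customer_id: str, history: List[Txn]) -> Profile:
    """Derive the customer's normal pattern from past, trusted transactions."""
    p = Profile(customer_id)
    for t in history:
        p.known_devices.add(t.device_id)
        p.active_hours.add(t.at.hour)
    if history:
        p.avg_amount = sum(t.amount for t in history) / len(history)
    return p


# Weights are illustrative; a real deployment tunes them on labelled fraud cases.
WEIGHTS = {"new_device": 2, "odd_hour": 1, "large_amount": 2, "remote_access": 3}
ALERT_THRESHOLD = 3


def score(profile: Profile, t: Txn) -> Tuple[int, List[str]]:
    """Return (risk score, list of rule names that fired) for one transaction."""
    reasons = []
    if t.device_id not in profile.known_devices:
        reasons.append("new_device")
    if t.at.hour not in profile.active_hours:
        reasons.append("odd_hour")
    if profile.avg_amount and t.amount > 3 * profile.avg_amount:
        reasons.append("large_amount")
    if t.remote_access_active:
        reasons.append("remote_access")
    return sum(WEIGHTS[r] for r in reasons), reasons


def evaluate(profile: Profile, t: Txn) -> Dict:
    s, reasons = score(profile, t)
    return {"score": s, "reasons": reasons, "alert": s >= ALERT_THRESHOLD}


# Constructed sample data: a customer who pays small amounts from one phone by day.
HISTORY = [
    Txn("C001", "phone-A", 1500.0, datetime(2019, 1, 10, 11, 5)),
    Txn("C001", "phone-A", 2200.0, datetime(2019, 1, 15, 14, 30)),
    Txn("C001", "phone-A", 1800.0, datetime(2019, 1, 22, 19, 45)),
]
PROFILE = build_profile("C001", HISTORY)

# Normal transaction: same phone, usual hour, usual amount -> score 0, no alert.
NORMAL = Txn("C001", "phone-A", 2000.0, datetime(2019, 2, 1, 14, 10))
# AnyDesk-style fraud: the attacker drives the victim's own phone while screen
# sharing is active and moves a large sum at 2 a.m.  The device is known, so the
# odd hour, the amount and the remote-access signal are what raise the score.
FRAUD = Txn("C001", "phone-A", 45000.0, datetime(2019, 2, 2, 2, 15),
            remote_access_active=True)
# Ranjan's example: a new device at an odd time and nothing else -> still alerts.
NEW_DEVICE_ODD_HOUR = Txn("C001", "phone-B", 2000.0, datetime(2019, 2, 3, 3, 0))

if __name__ == "__main__":
    for name, t in [("normal", NORMAL), ("fraud", FRAUD),
                    ("new device, odd hour", NEW_DEVICE_ODD_HOUR)]:
        print(name, evaluate(PROFILE, t))
```

The point of the third sample is the one Ranjan makes: even without any handset-side signal, a first-seen device combined with an unusual hour crosses the alert threshold on its own, so the bank can hold or step-up-verify the transfer before funds leave the account. Whether a remote-access check is feasible at all depends on the app being able to observe screen-sharing or accessibility services on the device, which is why it is marked as an assumption here.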

About the Author

Suparna Goswami is Associate Editor at ISMG Asia and has more than 10 years of experience in the field of journalism. She has covered a variety of beats ranging from global macro economy, fintech, startups and other business trends. Before joining ISMG, she contributed for Forbes Asia where she wrote about the Indian startup ecosystem. She has also worked with UK-based International Finance Magazine, and leading Indian newspapers like DNA and Times of India.
